feat(sanitization): Redact 'Cookie' request header by default (#4815)

This is done by adding 'cookie' to the sanitizeFieldNames default set.

Refs: #4006

Author: trentm

docs/reference/configuration.md

@@ -751,7 +751,7 @@ require('elastic-apm-node').start({
 ## `sanitizeFieldNames` [sanitize-field-names]
 
 * **Type:** Array
-* **Default:** `['password', 'passwd', 'pwd', 'secret', '*key', '*token*', '*session*', '*credit*', '*card*', '*auth*', 'set-cookie', '*principal*', 'pw', 'pass', 'connect.sid']`
+* **Default:** `['password', 'passwd', 'pwd', 'secret', '*key', '*token*', '*session*', '*credit*', '*card*', '*auth*', 'set-cookie', '*principal*', 'pw', 'pass', 'connect.sid', 'cookie']`
 * **Env:** `ELASTIC_APM_SANITIZE_FIELD_NAMES`
 * [![dynamic config](images/dynamic-config.svg "") ](/reference/configuring-agent.md#dynamic-configuration) **Central config name:** `sanitize_field_names`
 

docs/release-notes/index.md

@@ -26,6 +26,40 @@ To check for security updates, go to [Security announcements for the Elastic sta
 %
 % ### Fixes [next-fixes]
 
+## Next [next]
+% **Release date:** Month day, year
+
+### Features and enhancements [next-features-enhancements]
+
+* Redact the `Cookie` HTTP request header by default, because it is often sensitive.
+
+    The `Cookie` pattern has been added to the [`sanitizeFieldNames`](/reference/configuration.md#sanitize-field-names) configuration variable. This means that when headers are captured (if `captureHeaders` is enabled, as it is by default), the `Cookie` header will be fully redacted:
+
+    ```
+    http.request.headers.cookie: "[REDACTED]"
+    ```
+
+    The result in earlier versions was to parse the Cookie header and redact only those fields that matched patterns in `sanitizeFieldNames`, for example:
+
+    ```
+    http.request.headers.cookie: "foo=bar; sessionid=REDACTED"
+    ```
+
+    To restore the previous behavior, specify a `sanitizeFieldNames` configuration value that does *not* include 'cookie'. For example:
+
+    ```js
+    require('elastic-apm-node').start({
+      // ...
+      sanitizeFieldNames: ['password', 'passwd', 'pwd', 'secret', '*key', '*token*', '*session*', '*credit*', '*card*', '*auth*', 'set-cookie', '*principal*', 'pw', 'pass', 'connect.sid']
+    });
+    ```
+
+    or:
+
+    ```
+    export ELASTIC_APM_SANITIZE_FIELD_NAMES=password,passwd,pwd,secret,*key,*token*,*session*,*credit*,*card*,*auth*,set-cookie,*principal*,pw,pass,connect.sid
+    ```
+
 ## 4.14.0 [4-14-0]
 **Release date:** Sep 25, 2025
 

lib/config/schema.js

@@ -324,6 +324,8 @@ const CONFIG_SCHEMA = [
       'pw',
       'pass',
       'connect.sid',
+      // Additional ones added to the Node.js APM agent.
+      'cookie', // The "Cookie" HTTP request header is often sensitive.
     ],
     envVar: 'ELASTIC_APM_SANITIZE_FIELD_NAMES',
     centralConfigName: 'sanitize_field_names',

test/instrumentation/transaction.test.js

@@ -584,7 +584,7 @@ test('#_encode() - http request meta data', function (t) {
         host: 'example.com',
         'user-agent': 'user-agent-header',
         'content-length': 42,
-        cookie: 'cookie1=foo; cookie2=bar; session-id=REDACTED',
+        cookie: '[REDACTED]',
         'x-foo': 'bar',
         'x-bar': 'baz',
       },

test/sanitize-field-names/_fixtures.js

@@ -59,6 +59,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen=value',
         keepmeRequest: 'request',
       },
       responseHeaders: {
@@ -76,6 +77,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen=value',
         keepmeResponse: 'response',
       },
       formFields: {
@@ -93,6 +95,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen',
         keepmeForm: 'formFields',
       },
     },
@@ -113,6 +116,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeRequest: 'request' },
       },
@@ -132,6 +136,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeResponse: 'response' },
       },
@@ -151,6 +156,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeForm: 'formFields' },
       },
@@ -176,6 +182,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen=value',
         keepmeRequest: 'request',
       },
       responseHeaders: {
@@ -193,6 +200,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen=value',
         keepmeResponse: 'response',
       },
       formFields: {
@@ -210,6 +218,7 @@ module.exports = [
         'set-cookie': 'twelve',
         'X-Authy-Thing': 'thirteen',
         'X-Ms-Client-Principal': 'fourteen',
+        Cookie: 'fifteen',
         keepmeForm: 'formFields',
       },
     },
@@ -230,6 +239,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeRequest: 'request' },
       },
@@ -249,6 +259,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeResponse: 'response' },
       },
@@ -268,6 +279,7 @@ module.exports = [
           'set-cookie',
           'X-Authy-Thing',
           'X-Ms-Client-Principal',
+          'Cookie',
         ],
         defined: { keepmeForm: 'formFields' },
       },